I have a Sumo container running on a CoreOS vm in an enterprise network.
With the new setup, I need to run this VM behind an SSL Proxy server with a custom self signed certificate.
Other containers running on this VM are able to connect via this proxy, once I add the self signed certificate to their respective trusted stores.
This Sumo container fails to communicate if the proxy is enabled as it doesn't know about the new certificate.
I added the certificate in Ubuntu's Trust store and post that, curl command connects successfully.
I even added it to JVM's trust store, but that doesn't seem to work. Here's the error log:
2019-03-21 09:14:17,915 +0000 [WrapperSimpleAppMain] INFO com.sumologic.scala.collector.monitoring.CollectorResourceMonitor - Initializing CPU Resource Monitor with a target of None
2019-03-21 09:14:18,123 +0000 [WrapperSimpleAppMain] INFO com.sumologic.scala.collector.auth.CollectorRegistrationManager - https://collectors.sumologic.com resolves to addresses 18.213.188.63, 18.204.59.239, 18.211.168.171, 54.88.219.17, 54.242.231.88, 107.23.180.165, 54.85.183.71, 54.84.141.78
2019-03-21 09:14:19,216 +0000 [WrapperSimpleAppMain] WARN com.sumologic.scala.collector.auth.CollectorRegistrationManager - Unexpected when pinging sumo service, retrying in 60 seconds
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade(DefaultHttpClientConnectionOperator.java:193)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:375)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:416)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at com.sumologic.scala.collector.rest.RestClient$class.getResponse(RestClient.scala:84)
at com.sumologic.scala.collector.rest.RestClient$class.makeGetRequest(RestClient.scala:69)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.makeGetRequest(CollectorRegistrationManager.scala:53)
at com.sumologic.scala.collector.rest.RestClient$class.makeRequest(RestClient.scala:120)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.com$sumologic$scala$collector$rest$RestClientRetries$$super$makeRequest(CollectorRegistrationManager.scala:53)
at com.sumologic.scala.collector.rest.RestClientRetries$$anonfun$makeRequest$1.apply(RestClientRetries.scala:42)
at com.sumologic.scala.collector.rest.RestClientRetries$$anonfun$makeRequest$1.apply(RestClientRetries.scala:35)
at com.sumologic.util.retry.Retry$.whileExceptionsAreThrown(Retry.scala:155)
at com.sumologic.scala.collector.rest.RestClientRetries$$anonfun$withRetries$1.apply(RestClientRetries.scala:23)
at com.sumologic.scala.collector.rest.RestClientRetries$$anonfun$withRetries$1.apply(RestClientRetries.scala:23)
at com.sumologic.scala.collector.rest.RestClientRetries$class.makeRequest(RestClientRetries.scala:35)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.com$sumologic$scala$collector$rest$RestClientDeploymentRedirection$$super$makeRequest(CollectorRegistrationManager.scala:53)
at com.sumologic.scala.collector.rest.RestClientDeploymentRedirection$class.makeRequest(RestClientDeploymentRedirection.scala:74)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.makeRequest(CollectorRegistrationManager.scala:53)
at com.sumologic.scala.collector.auth.CollectorRegistrationManager.ping(CollectorRegistrationManager.scala:324)
at com.sumologic.scala.collector.Collector.init(Collector.scala:532)
at com.sumologic.scala.collector.Collector$.main(Collector.scala:833)
at com.sumologic.scala.collector.Collector.main(Collector.scala)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 42 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 48 more
2019-03-21 09:15:17,914 +0000 [CPU-ResourceMonitor-1] INFO com.sumologic.scala.collector.monitoring.CollectorResourceMonitor - With current users: List(), current usage is 0
2019-03-21 09:15:19,935 +0000 [WrapperSimpleAppMain] WARN com.sumologic.scala.collector.auth.CollectorRegistrationManager - Unexpected when pinging sumo service, retrying in 60 seconds
To combat this, I added the command to import self signed certificate in my Dockerfile
It still fails with the same error.
On the bright side, after I add this certificate to the above mentioned trust store, I copied one test java class which makes a simple HTTPS call to https://www.google.com. It worked fine without throwing any exception. I compiled it locally and then ran it via /opt/SumoCollector/jre/bin/./java.
Can someone help me how to resolve this SSLHandshake failure?
I think just like PROXY_HOST and PROXY_PORT there should be an option to configure custom CA cert.
Hi @agarwalanirudh, it sounds like you are on the right track using keytool import to add the certificate to the collector's cacerts file. We've officially documented this approach here, if you can take a look.
One difference I noticed was that we recommend connecting to the Sumo Logic endpoint URL from a browser and then downloading and using that certificate. I am wondering if your ssl-proxying-certificate.cer lacks an intermediate certificate on the path to the Sumo Logic endpoint (but does have a path to https://www.google.com)?
In your test java class, can you try connecting to a Sumo Logic endpoint, such as https://collectors.sumologic.com, and see if it works (should display the word "Tweep")?